
Julien Couvreur's programming blog and more

IGN - Single Page View

 

Just finished the IGN - Single Page View user script for Greasemonkey. Instead of having to turn pages, the first page of an IGN article displays the content of the whole article.

It keeps the general structure of the ACM Queue - Single Page View script. It's better modularized, though, so that it can be re-used as a mini-framework for future "single page view" scripts. Essentially, you need to customize how to compute the URL for the next page, how to merge the next page's content into the main page, and when to stop loading more pages.

Mark Rickerby also wrote a similar script, called IGN Splicer, and we've been in touch over email, but it suffers from some timing issues: if the responses for various pages don't arrive in the right order, the order of the content can get messed up.
In contrast, "IGN - Single Page View" loads the pages sequentially, rather than in parallel, so it doesn't run into that problem.

Greasemonkey security bulletin:
On a separate topic, Mark Pilgrim identified a severe vulnerability in Greasemonkey earlier this week. Simon also wrote up a good description of the flaw.
The core issue is that the powerful APIs (GM_*) made available to user scripts can actually be accessed from within the scope of the host page.
It is recommended that you upgrade to the "neutered" version of Greasemonkey, 0.3.5, which has all those APIs disabled as an interim fix. This means some scripts (such as "XMLHttpRequest Tracing") are broken until a proper fix is found. Keep an eye on Greaseblog for updates.

Because this can only be exploited for sites that are @included in at least one script when you visit them, another mitigation is to tighten the configuration. This begins by removing scripts that run on all sites ("@include *").
Also, be sure to have non-ambiguous site specifications. For example, "http://google.com*" would match "http://google.com.evilsite.com", but "http://google.com/*" is safer.
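
The check described above can be automated. The following JavaScript is an added example, not code from the original post or from Greasemonkey: it reads the @include lines from a user script's metadata block and flags patterns that run on all sites or that also match a look-alike host. It assumes "*" matches any run of characters; the function names, the sample script header and the probe host "evilsite.example" are constructed for illustration.

```javascript
// Added example: audit the @include lines of a user script's metadata block.
// Assumption: "*" matches any run of characters; everything else is literal.

function parseIncludes(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return [];
  return block[1]
    .split(/\r?\n/)
    .map((line) => line.match(/^\s*\/\/\s*@include\s+(\S+)/))
    .filter(Boolean)
    .map((m) => m[1]);
}

function globToRegExp(glob) {
  // Escape regex metacharacters, then turn each "*" into ".*".
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function auditInclude(pattern) {
  if (/^\*+$/.test(pattern)) return "all-sites";
  // Literal host prefix: everything after "://" up to the first "/" or "*".
  const m = pattern.match(/^(\w+):\/\/([^\/*]+)/);
  if (!m) return "review-manually"; // e.g. wildcard at the start of the host
  // Constructed look-alike: the intended host used as a prefix of another site's name.
  const probe = `${m[1]}://${m[2]}.evilsite.example/`;
  return globToRegExp(pattern).test(probe) ? "ambiguous-host" : "ok";
}

function auditScript(source) {
  return parseIncludes(source).map((pattern) => ({ pattern, verdict: auditInclude(pattern) }));
}

// Constructed sample script header (hypothetical script).
const SAMPLE = [
  "// ==UserScript==",
  "// @name     Sample",
  "// @include  *",
  "// @include  http://google.com*",
  "// @include  http://google.com/*",
  "// @include  http://*.ign.com/*",
  "// ==/UserScript==",
  "alert('body');",
].join("\n");

for (const { pattern, verdict } of auditScript(SAMPLE)) {
  console.log(verdict.padEnd(16), pattern);
}
```

Patterns reported as "review-manually" have a wildcard where the host begins, which this simple probe does not judge.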

Mark also wrote a script to detect if you are vulnerable, which he runs on Dive Into Greasemonkey. If you run a version other than 0.3.5 or have any "@include *" script, you will get a flashy warning when visiting that site (which has tons of info and tricks on Greasemonkey btw).


Some more Greasemonkey related news:
A new user script repository service was launched, Greasemonkeyed.com.
